XCOEX Privacy Policy
(Updated )
XCHG Digital OÜ, Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 4, 11415, Estonia
License Nr. FVT000226 (Providing a virtual currency service)
Definitions
- Company: XCHG Digital OÜ. Registered in Estonia with company number 14562820
- Mobile Platform: An application that is distributed by the Company through AppStore or Google Play
- Website Platform: A website that is operated by the Company and available at https://xcoex.com/ or xcoex website with different domain extensions (for example, https://xcoex.mt)
- Platform(s): Collective name that can refer to either or both the Mobile and Website Platforms
- XCOEX: Collective name that can refer to either or both the Platform and the Company
- Privacy Policy: Latest version of the XCOEX Privacy Policy
- User: An individual user starting at age 18 or a legal entity that has read and agreed to the Terms of Business of XCOEX and uses services of the Company provided through the Mobile or Website Platforms. May or may not have an account with the Company
- GDPR: The General Data Protection Regulation (EU) 2016/679
- KYC or Due Diligence: Procedure done by XCOEX for User information and identity verification purposes according to applicable laws and Anti-Money Laundering policy of the Company
Purpose, Scope and Other Definitions
The Policy is meant for use by XCOEX’s Users.
XCHG Digital OÜ represents an entity that has prepared the Platform and allows Users to receive and exchange virtual currency by using the Platform.
XCHG Digital OÜ is a company registered in Estonia that has developed and governs the Platform and services, products and content that is accessible through and offered on the Platform.
The Company is compliant with the applicable Estonian and international laws for the Prevention of Money Laundering and Terrorist Financing, the General Data Protection Regulation, as well as other legislation applicable in Estonia.
The Company has established this Privacy Policy in accordance with the General Data Protection Regulation and laws, regulations and/or directives issued pursuant to GDPR.
This policy aims to provide Company’s Users with information on what type of information the Company collects, how it is used and the circumstances in which it could be shared with third parties.
Throughout this privacy statement, User’s data may be called either “personal data” or “personal information”. The Company may also sometimes collectively refer to handling, collecting, protecting and storing User’s personal data or any such action as “processing” of such personal data.
For the purposes of this statement, personal data shall mean any information relating to the User, which identifies or may identify the User and which includes, for example, User’s name, address and identification number.
The present Privacy Statement aims to help you better understand the most recent changes to the Privacy Policy and Cookie Policy and how they may affect the Users. To understand the changes in full, the User will need to read the entire Privacy Policy and Cookie Policy.
Collection of personal data
The Company shall collect information necessary to fulfil legal obligations for the provision of services and to improve its service to you.
XCOEX will gather information and documentation to identify, contact or locate Users and may gather information from third parties and/or other sources, which will help it to offer its services effectively.
As a User, an individual is responsible for providing true and accurate information and for keeping the Company informed of any changes in User’s personal information or circumstances by emailing XCOEX’s support ([email protected]).
Purpose of collecting and processing personal data
According to the Estonian and international laws for the Prevention of Money Laundering and Terrorist Financing, as well as in order to enhance User support, User’s personal data will be used for specific, explicit and legitimate purposes.
Performance of contractual obligations
The personal data collected from Users is used to verify User’s identity for Due Diligence purposes, to manage User’s account on the Platform, to process User’s transactions, to provide Users with post-transaction information, to inform Users of additional products and/or services relevant to the User’s profile, to produce analysis and statistical data which will help the Company improve its products and services, and improve the Platform.
Identity Verification purposes
The Company needs to perform its Due Diligence process and apply the principles of KYC before entering a business relationship with any User in order to prevent illegal actions, such as money laundering or terrorist financing, and to perform other duties imposed by law.
The Company collects from its Users identity verification information (such as copies, images or scans of User’s government-issued national ID card or international passport, or other government-issued proof of identification) or other authentication information. XCOEX also requests its Users to provide the Company with a recent utility bill in order to verify the User’s residential address. Further to this, the Company can use third parties to carry out identity verification on its behalf.
Compliance with legal obligations
There are a number of legal obligations arising from the relevant laws to which the Company is subject, as well as other statutory requirements.
Such obligations and requirements impose on XCOEX the necessity to perform personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.
Purposes of safeguarding legitimate interests
The Company processes personal data to safeguard legitimate interests pursued by XCOEX or by a third party. A legitimate interest is when XCOEX has a business or commercial reason to use the User’s information. Even then, it must not unfairly go against what is right and best for the User.
Examples of such processing activities include:
- initiating court proceedings and preparing our defence in litigation procedures;
- measures and processes we undertake to provide the Company’s IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures;
- measures to manage business and further develop the Company’s products and services;
- the transfer, assignment (whether outright or as security for obligations) and/or sale to one or more persons and/or charge and/or encumbrance over, any or all of the Company’s benefits, rights, title or interest under any agreement between the User and the Company.
Marketing Purposes
The Company may use User data, such as location or transaction history, to deliver any news, analysis, research, reports, campaigns or training opportunities that may interest the User, to their registered email address.
The User always has the right to change this option if they no longer wish to receive such information.
Controlling and processing User’s personal data
The Company and any agents that it engages for the purpose of collecting, storing or processing personal data and any third parties acting on the Company’s behalf may collect, process and store personal data provided by the User.
For the purpose of processing and storage of personal data provided by the User in any jurisdiction within the European Union or outside of the European Union, the Company hereby confirms that this will be done in accordance with all applicable laws.
Authorised Processor
The Company may also use authorised external processors for User data processing based on concluded service agreements, which are governed by instructions from the Company for the protection of User-related data. The agreements are important so that both parties understand their responsibilities and liabilities.
The GDPR sets out what needs to be included in the agreement, which the Company has adhered to; the below is not an exhaustive list of the obligations of all relevant parties:
- such third parties must only act on the written instructions of the Company (unless required by law to act without such instructions);
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- the rights of Users will not be impaired in meeting with GDPR requirements;
- the security of processing, the notification of personal data breaches and data protection impact assessments will not be impaired;
- deletion or return of all personal data as requested at the end of the contract.
Such providers will provide various services as agreed upon with the Company.
XCOEX has a regulatory obligation to supervise and effectively oversee the outsourced functions and to act appropriately when it determines that the service provider is not performing the said functions effectively and in accordance with applicable legislation.
XCOEX may use or disclose personal information without User’s consent only in certain circumstances:
- if required by law or by order of a court, administrative agency, or other government entities;
- if there are reasonable grounds showing disclosure is necessary to protect the rights, privacy, property, or safety of users or others;
- if the Company believes the information is related to a breach of an agreement or violation of the law, that has been, is being, or is about to be committed;
- if it is necessary for fraud protection, risk reduction, or the establishment or collection of funds owed to the Company;
- if it is necessary to enforce or apply the Terms and Conditions and other agreements, to pursue remedies, or to limit damages to the Company;
- for other reasons allowed or required by law;
- if the information is public.
When the Company is required or permitted to disclose information without consent, the Company will not disclose more information than necessary to fulfil the disclosure purpose.
XCOEX urges all Users to maintain confidentiality and not share with others their usernames or passwords, whether private or as provided by the Company. The Company bears no responsibility for any unlawful or unauthorised use of Users’ personal information due to misuse or misplacement of Users’ access codes (i.e. passwords/credentials), negligent or malicious, however conducted.
How the Company treats User’s personal data for marketing activities
The Company may process User’s personal data to inform Users about products, services or offers that may be of interest to them. The personal data that XCOEX processes for this purpose consists of information Users provide to the Company and data XCOEX collects and/or infers when Users use the services on the Platform, such as information on User’s transactions. The Company studies all such information to form a view of what is needed or what may be of interest to the Users.
In some cases, profiling may be used. Profiling is a process where User’s data is automatically processed with the aim of evaluating certain personal aspects and further providing the User with targeted marketing information on products.
XCOEX can only use User’s personal data to promote its products and services if XCOEX has the User’s explicit consent to do so – by clicking the check box when filling out the form to open an account or, in certain cases, if the Company considers that it is in the User’s legitimate interest to do so.
Further, Users have the option to choose whether they wish to receive marketing-related emails (Company news, information about campaigns, the Company’s newsletter, the Company’s strategic report, etc.) sent to the User’s provided email address by clicking the relevant check box when filling out the form to open an account.
Users have the right to object at any time to the processing of User’s personal data for marketing purposes or unsubscribe from receiving marketing-related emails from the Company, by contacting the Company’s User support department at any time in the following ways:
- by Email: [email protected]
- website customer support
Period of keeping User’s personal information
The Company will keep User’s personal data:
- for as long as a business relationship exists with the User, either as an individual or a legal entity, which the User is authorised to represent or of which the User is a beneficial owner;
- once the business relationship with a User has ended, the Company is required to keep the User’s data for a period of five years to meet regulatory and legal requirements. In some cases, this period may be extended.
When the Company no longer needs to keep User’s personal data, it will securely delete or destroy it.
User’s rights
The User has the right to request copies of his/her personal data. Information must be provided without delay and within one month of receipt of the request at the latest. The Company may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, it will inform Users within one month of the receipt of the request and explain why the extension is necessary.
XCOEX must provide a copy of the information free of charge. However, the Company can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The fee, if applied, will be based on the administrative cost of providing the information and on delivery expenses if the User requests that the information be delivered in hard copy. If at any time the Company refuses to respond to a request, it will explain why to the User, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and within one month at the latest.
When information is provided
The Company will verify the identity of the person making the request, using reasonable means.
When should personal data be rectified?
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. The GDPR provides for a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. Users can make a request for rectification verbally or in writing.
If XCOEX has disclosed the personal data in question to others, it must contact each recipient and inform them of the rectification, unless this proves impossible or involves disproportionate effort. If asked to, the Company must also inform the individuals about these recipients.
How long does the company have to comply with a request for rectification?
The Company must respond within one month.
This can be extended by two months where the request for rectification is complex.
Where the Company does not take action in response to a request for rectification, XCOEX must explain to the individual why this is not done, informing them of their right to complain to the supervisory authority and to a judicial remedy.
User’s right to erasure
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- when the individual withdraws consent;
- when the individual objects to the processing and there is no overriding legitimate interest to continue the processing;
- when the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR);
- when the personal data has to be erased in order to comply with a legal obligation;
- when the personal data is processed in connection with the offer of information society services to a child.
There are some specific circumstances where the right to erasure does not apply and the Company can refuse to execute the request.
When can the Company refuse to comply with a request for erasure?
XCOEX can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- the exercise or defence of legal claims.
Does the Company have to tell other organisations about erasure of personal data?
If XCOEX has disclosed the personal data in question to others, it must contact each recipient and inform them of the erasure of personal data, unless this proves impossible or involves disproportionate effort. If asked to, the Company must also inform the individuals about these recipients.
User’s right to restrict processing
When does the right to restrict processing apply?
The Company will be required to restrict the processing of personal data in the following circumstances:
- where an individual contests the accuracy of the personal data, the Company should restrict its processing until the individual has verified its accuracy;
- where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the Company is considering whether the organisation’s legitimate grounds override those of the individual;
- when processing is unlawful, and the individual opposes erasure and requests restriction instead;
- if the Company no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
The Company may need to review procedures to ensure it is able to determine when it may be required to restrict processing of personal data.
If the Company has disclosed personal data in question to others, it must contact each recipient and inform them of the restriction on processing the personal data, unless this proves impossible or involves disproportionate effort. If asked to, XCOEX must also inform the individuals about these recipients.
User’s right to data portability
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- It enables consumers to take advantage of applications and services, which can use this data to find them a better deal or help them understand their spending habits.
- XCOEX will respond without undue delay, and within one month. This can be extended by two months where the request is complex or where the Company may receive a number of requests. XCOEX will inform the individual within one month of receipt of the request and explain why the extension is necessary, if applicable.
- Where the Company does not take action in response to a request, it will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and within one month at the latest.
User’s right to object
Users have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling);
- processing for purposes of scientific/historical research and statistics.
XCOEX will stop processing personal data unless:
- the Company can demonstrate compelling legitimate grounds for such processing, which override the interests, rights and freedoms of the individual; or
- the processing is for establishment, exercise or defence of legal claims.
Automated decision-making
In establishing and carrying out a business relationship, the Company generally does not use any automated decision-making. XCOEX may process some of the User’s data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with Users for data assessments (including on payment transactions), which are carried out in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for a User or User’s business. These measures may also serve to protect Users and their assets or private data.
Geographical area of processing
As a general rule, User data is processed within the European Union/European Economic Area (EU/EEA), but in some cases it is transferred to and processed in countries outside the EU/EEA.
The transfer and processing of User data outside the EU/EEA can take place, provided there are appropriate safeguards in place and the actions are made based on a legal basis only. Upon request, the User may receive further details on User data transfers to countries outside the EU/EEA.
Raising a concern
Users have the right to be confident that XCOEX handles User’s personal information responsibly and in line with good practices.
If a User has a concern about the way the Company handles User’s information, or if a User feels the Company may, for example:
- not keep User’s information secure;
- hold inaccurate information about the User;
- have disclosed information about the User;
- keep information about the User for longer than is necessary; or
- collect information for one reason and use it for something else,
the Company takes all concerns seriously and will work with the User to resolve any such concerns.
Any concerns and/or requests may be raised with the appointed Data Protection Officer whose contact information is below:
Email: [email protected]
If the User is not satisfied with any response provided by the Company, the User has a right to raise such matters with the Estonian Data Protection Inspectorate:
- E-mail address: [email protected]
- Estonian Data Protection Inspectorate, 39 Tatari St., 10134 Tallinn, Estonia
- Phone: (from abroad add +372) 627 4135
The User has the right to go to court or to escalate their complaint to the data protection regulator in their jurisdiction for the protection of rights, unless applicable laws prescribe a different procedure for handling such claims.
Changes to this privacy statement
The Company reserves the right to modify or amend this Privacy Statement unilaterally at any time in accordance with this provision.
If any changes are made to this privacy statement, the Company shall notify the Users accordingly. The revision date shown at the end of this page will also be amended. The Company does, however, encourage the Users to review this privacy statement occasionally so as to always be informed about how the Company processes and protects the User’s personal information.
Cookies
The Company’s website uses small files known as cookies to enhance its functionality and improve User’s experience.
A cookie is a small text file that is stored on a User’s computer for record-keeping purposes. The Company uses cookies on the Platform(s). XCOEX links the information it stores in cookies to any personally identifiable information the User submits while on the Platform. XCOEX uses both session ID cookies and persistent cookies. A session ID cookie does not expire when the User closes the browser. A persistent cookie remains on User’s hard drive for an extended period of time. A User can remove persistent cookies by following directions provided in the User’s Internet browser's “help” file.
The Company sets persistent cookies for statistical purposes. Persistent cookies also enable the Company to track and target the location and interests of the Users and to enhance the experience of Company’s services on the Platform.
If a User rejects cookies, the User may still use the Platform.
Some of the Company’s business partners use cookies on the Platform. The Company has no access to or control over these cookies.
Monitoring and Review
The Company will monitor the effectiveness of this Policy on a regular basis and, in particular, the quality of execution of the procedures explained in the Policy and, where appropriate, it reserves the right to correct any deficiencies.
In addition, the Company will review the Policy at least annually. A review will also be carried out whenever a material change occurs that affects the ability of the Company to continue to achieve the best possible result for the execution of its Users’ orders on a consistent basis using the venues included in this Policy.
The Company will inform its Users of any material changes to this Policy by posting an updated version of this Policy on its Website(s).